ClamAV Monitor
whitequark


Joined: 19 Jan 2008
Posts: 0
I saw that there is no real-time monitor for ClamWin, so I wrote one.
It hooks the API functions CreateProcessA/W, LoadLibraryA/W and LoadLibraryExA/W and then checks the files using libclamav. It also stores the hashes of checked DLLs, so it slows the system down only on the first bootup of ClamMon.

Download

All binary and source files are in the archive.

Installation
INSTALL AT YOUR OWN RISK, it seems to be unstable.
1) Unpack the archive, for example, to c:\clammon. This path will be used later.
2) Open regedit.exe, find the key [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] and put the text "c:\clammon\monitor.dll" (without quotes) in the AppInit_DLLs parameter
3) Reboot
4a) If you don't want to run ClamMon as a service, simply run it from the c:\clammon directory
4b) If you want to run it as a service, run cmd.exe and type the following commands:
cd c:\clammon
instsrv "ClamMon Antivirus Monitor" c:\clammon\srvany.exe
and close its window. Then (in regedit) open [HKLM\System\CurrentControlSet\Services\ClamMon Antivirus Monitor] and create the key "Parameters" (without quotes) in it. Create a parameter "Application" with the value "c:\clammon\clammon.exe". Reboot.

Tests
Tested on XP Professional SP2 (two comps.), XP Tablet PC Edition (on HP Pavillion tx1000 notebook)
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
API hooks can be circumvented much more easily than a file system filter driver, therefore we decided not to use them in ClamWin.
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
Perhaps your stuff is very interesting.
The latest svn code (upcoming 0.92 release) and devel are compilable with mingw (it seems you are compiling with mingw, or am I wrong? Are .msp files a sort of project files?)
(look at the contrib/msvc/mingw directory)

EjectLib looks familiar :) I use the same trick in --unload,
but it's not so safe :D
whitequark


Joined: 19 Jan 2008
Posts: 0
An update.
This version was tested on 5 computers during 2 months and a) did not cause any errors, b) caught all viruses which were downloaded from the internet or started from flash sticks (around 10). I also made ClamMon a real service (without srvany), made a nice installer and added a cache for checked files - now it first checks the MD5 of the file and, if it isn't found in the cache, scans it.
It didn't even conflict with AVP on my computer :)


Last edited by whitequark on Sat Mar 22, 2008 1:24 pm; edited 1 time in total
whitequark


Joined: 19 Jan 2008
Posts: 0
Quote:
API hooks can be circumvented much easier than a file system filter driver therefore we decided not to use it in clamwin.

Yes, but, as I thought, any virus is first launched by IE (a downloaded file or ActiveX; isn't ActiveX a dll?), Windows Explorer or some other program that will 99.9% use WinAPI, so I can intercept it, so even a userspace monitor is rather effective.
Quote:
EjectLib looks familiar :) I use the same trick in --unload

I don't really use it in my code, I saved it for the future :)
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I visited the site and noted that it was trying to download files to my computer--they were not successful. I don't know what they were, but if ActiveX was not disabled, I might have found out! Anyway, they were attempting to give me files without my permission.

Watch out!

Regards,
whitequark


Joined: 19 Jan 2008
Posts: 0
GuitarBob wrote:
Anyway, they were attempting to give me files that I didn't give them permission to do so.

Aren't they simply redirecting you to that file? I don't understand what you mean by "attempting to give me files".
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You are probably right--it's more than likely an automated download--similar to what a lot of Web sites do anywhere. It takes a few seconds to load, and then IE gives the warning. Nevertheless, it's at a RU domain, the page is in Russian, Russia is home of the famous RBN, and I'm paranoid! It might be better to explain this is going to happen alongside the link as it is listed above.

Thanks for pointing it out.

Regards,
galileo


Joined: 01 Nov 2006
Posts: 0
Location: Charlotte, NC USA
@whitequark:

Caching of checked file hashes is an interesting approach - I like it. The overhead of real-time AV checking and re-checking and re-checking and re-checking... every file read/write operation is significant and does affect system performance.

Once the files on disk have been established as "safe" there is really no further need to check those files. There is only the need to monitor and check new incoming files from the open attack vectors prior to opening them or writing them to disk. Files residing on the hard drive are not an open attack vector. Yes, I suspect that if malware did penetrate one's system then the on-disk files could be compromised. But would that situation really be any different - as far as effective protection - from today's other real-time AV? Maybe, but if the malware did penetrate - i.e. it got by the real-time scanning of incoming files - then the real-time AV would not catch the compromised files on the next read/write operation anyway. Granted, AV databases are updated and presumably would eventually catch the compromised files on a read/write operation. But that philosophy should be reasonably balanced by utilizing scheduled scans that would catch the compromised files also. Thus leaving, IMHO, at the very least a 50/50 argument against scanning of every read/write operation and thus offering a notable reduction in system overhead when it comes to AV protection.

Anyway, nice approach!!! I for one will take a good look at your implementation...I just hope the download site isn't too aggressive at pushing something other than your software onto my system!!!
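A scan cache of the kind whitequark describes (hash the file first, scan only on a cache miss), written here as an added example rather than ClamMon's own code; it also covers galileo's point that a cached "clean" verdict is only as good as the signature database it was produced with, so the cache key includes the database version. The scanner and its marker strings are constructed stand-ins for libclamav and real signatures.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Constructed markers standing in for real signatures (not real malware patterns).
CONSTRUCTED_MARKER = b"CONSTRUCTED-TEST-SIGNATURE"
CONSTRUCTED_NEWER_MARKER = b"CONSTRUCTED-NEWER-SIGNATURE"


def fake_scan(data: bytes, db_version: int) -> Optional[str]:
    """Constructed stand-in for a libclamav scan: returns a signature name or None.
    'Database' version 2 knows one more signature than version 1."""
    if CONSTRUCTED_MARKER in data:
        return "Constructed.TestSig"
    if db_version >= 2 and CONSTRUCTED_NEWER_MARKER in data:
        return "Constructed.NewerSig"
    return None


class ScanCache:
    def __init__(self, db_version: int, scanner: Callable[[bytes, int], Optional[str]]):
        self.db_version = db_version
        self.scanner = scanner
        # key = (content hash, signature DB version) -> verdict
        self.cache: Dict[Tuple[str, int], Optional[str]] = {}
        self.scans = 0  # number of real scans performed, to show the cache effect

    def check(self, data: bytes) -> Optional[str]:
        # SHA-256 rather than MD5: a content-hash cache must not be fooled by
        # a collision, and MD5 collisions are practical to construct.
        digest = hashlib.sha256(data).hexdigest()
        key = (digest, self.db_version)
        if key in self.cache:
            return self.cache[key]  # file unchanged and DB unchanged: skip the scan
        self.scans += 1
        verdict = self.scanner(data, self.db_version)
        self.cache[key] = verdict
        return verdict

    def update_database(self, new_version: int) -> None:
        # Verdicts cached under the old version simply stop matching the key.
        self.db_version = new_version


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str], Optional[str], int]:
    cache = ScanCache(db_version=1, scanner=fake_scan)
    clean = b"MZ constructed clean program"          # constructed sample file
    newer = b"MZ payload " + CONSTRUCTED_NEWER_MARKER  # constructed sample file
    r1 = cache.check(clean)                 # miss: scanned (scans = 1)
    r2 = cache.check(clean)                 # hit: not scanned again
    r3 = cache.check(newer)                 # miss, DB v1 does not know it: None (scans = 2)
    cache.update_database(2)
    r4 = cache.check(newer)                 # new key under v2: rescanned and detected (scans = 3)
    r5 = cache.check(clean + b" modified")  # content changed: new key, rescanned (scans = 4)
    return (r1, r2, r3, r4, r5, cache.scans)
```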
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I downloaded the binary in a virtual machine without any problems, and Jotti says it is clear. I'm just too careful, I guess. I set it up in the virtual machine and will trial it. I'll post again after using it a while. It looks like they set up the download as automatic because the page it's on is all in Russian. It looks interesting.

Questions for whitequark: with the installer, are the changes made to the registry now, or does a user still have to make them manually? After installation, the ClamMon icon in the system tray is not very bright, and there are no tooltips on it--is this normal? Did you test the monitor with Firefox? Does the user get any message when the monitor finds a virus? I saw what looked like an old DOS screen once, but it just blinked on and off.

Regards,
whitequark


Joined: 19 Jan 2008
Posts: 0
GuitarBob wrote:
It looks like they set up the download as automatic because the page it's on is all in Russian.

slil.ru is a Russian free file hosting service (as Rapidshare is).
Quote:
with the installer, are the changes made to the registry now, or does a user still have to make them manually?

Yes, all necessary changes to the registry are done automatically.
Quote:
After installation, the ClamMon icon in the system tray is not very bright, and there are no tooltips on it--is this normal?

ClamMon needs ClamWin to be installed, so you will see two icons in the tray. Blue is the ClamWin tray icon (standard), and gray is the ClamMon icon. It will blink red when scanning a file. It will not show any tooltips because I am too lazy to make them :), but it shows balloon notifications for every scanned file.
Quote:
Did you test the monitor with FireFox?

Yes. It works with it as with any other app.
Quote:
Does the user get any message when the monitor finds a virus?

It will display a dialog asking what you want to do with the infected file: delete it or only block access. It will show the dialog even before logon to Windows, because ClamMon is running as a service.
Quote:
I saw what looked like an old DOS screen once, but it just blinked on and off.

I did not notice anything like this on my machine, but: the ClamMon service is a console app; normally Windows will not show its window, but in your case (maybe the VM is too slow?) you saw the window.

Anyway, you can test its functionality with the Eicar test virus: https://www.eicar.org/anti_virus_test_file.htm - for example, download and run it with Firefox.
Functional in Vista 32Bit?
freefighter


Joined: 20 Oct 2007
Posts: 0
Location: Bavaria
Hello whitequark,

this is a very interesting start for a real-time monitor combined with ClamWin. I have downloaded and installed it under Vista Home Premium 32 Bit. I didn't get any installation errors and the service is running (according to Process Explorer). Anyway, I cannot see the grey ClamMon tray icon, although Process Explorer does show it. Does this mean the ClamMon monitor is not working or functional in Vista?

Thank you and regards

freefighter
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I had the gray icon in System Tray, and both the Monitor Tray and Monitor were listed in Task Manager, but it failed to detect an EICAR download two times. Perhaps you have made some changes to the program since you tested it--maybe in the links to ClamWin resources (the signature database(s)??). I have created an extra heuristic/intrusion database--would this cause any problems? Also, Clam has changed their database(s) in the last six weeks or so--will it handle that?

Regards,
whitequark


Joined: 19 Jan 2008
Posts: 0
freefighter wrote:
Does this mean the ClamMon monitor is not working or functional in Vista?

I use the technique of injecting DLLs with the AppInit_DLLs registry key. I googled it and first determined that
Quote:
AppInit_DLLs -- For security reasons, Windows Vista does not support AppInit_DLLs
but then found another page saying:
Quote:
The question was: "Why is AppInit_DLLs not supported in Vista?" And the answer is: "It is supported, but your DLL needs to be signed!"

My DLL isn't signed (I only found that out now. I hate Vista and didn't even think about running ClamMon on it; I simply forgot it :)
If I find some disk space, a Vista DVD and much time, I will make ClamMon Vista-compatible. But for now it isn't, sorry. Maybe someone with Vista will agree to help me make a Vista version.

Quote:
Perhaps you have made some changes to the program since you tested it--maybe in the links to ClamWin resources (the signature database(s)??). I have created an extra heuristic/intrusion database--would this cause any problems? Also, Clam has changed their database(s) in the last six weeks or so--will it handle that?

The installer picks the ClamWin database path from the registry; you saw it when it asked you about options. Additionally, it checks that the path exists, so the link to the ClamWin database is good. (After writing this, I thought: why do I use a different registry key for the database path than ClamWin does? Perhaps I wrote that code late at night ;)).
Anyway, it uses the cl_dbload func and passes it the database path, so, because I use the latest version of libclamav (0.92.1.0), it will load the database from the same ClamWin version normally.

GuitarBob wrote:
I had the gray icon in System Tray, and both the Monitor Tray and Monitor were listed in Task Manager, but it failed to detect an EICAR download two times.

ClamMon does not check the data you write/read to/from disk, nor data received from the network. It only hooks these functions: LoadLibrary(A/W)(Ex), CreateProcess(A/W). So it will catch executable viruses when they are launched (including autorun), and trojan DLLs when they are loaded or launched with rundll32. For now it will not catch script viruses, but I am working on it.
So, to make ClamMon detect the EICAR "virus" you need to launch it first.
And, I hope, you installed it on XP? As I wrote above, it will not work on Vista for now!

P.S. time shift is funny. now there is 21:08 on my clock :)
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I reinstalled ClamMon into the default directory c:\clamMon, rather than putting it in the c:\program files directory I had it in originally, and it now seems to be working--it detects EICAR and a couple more malware samples I tried it on. Some people like to choose the directory where their programs are, and the installer has this option, so this should be considered in ClamMon. If not, then the installer should not have that option.

ClamMon doesn't seem to find any files containing the "extra" additional signatures I have prepared. I created the original files for the signatures in a Notepad file, and then also created the signatures in a Notepad file. When I open the original files, ClamMon seems to only scan the Notepad executable and doesn't find them infected, but when I scan them with ClamWin's on-demand scanner, it does find the infections. I don't know if this is a bug--the files aren't really executables.

You've done quite a bit of work, whitequark, and I think it has potential. It can provide some easy-to-use real-time scanning protection for ClamWin users until the "official" ClamWin RT scanner becomes available, and then it could possibly be modified to add some additional protection that ClamAV does not have (rootkits, PE heuristics, browser??). As for script detection, most antivirus programs seem to have trouble detecting them. Clam recently included a separate category for scripts (6).

I'll use ClamMon for a while with a behavior blocker for backup and get back here with comments.

Regards,